Blog

Jul 19

Hole in the Cloud Service Bucket: Dow Jones Data Exposed

Is there a hole in your Amazon Web Services bucket?

Many organizations now rely on these cloud-based buckets, or virtual containers, to store and share data. By default, AWS Simple Storage Service, or S3, containers are not publicly accessible, and access can be tightly restricted. But many organizations inadvertently misconfigure their buckets to allow "public" or semi-public access, which can result in data being exposed.

In recent months, organizations including Verizon, World Wrestling Entertainment, Scottrade and Deep Root Analytics have blamed user error for the contents of their S3 buckets being exposed.

Add to that list Dow Jones, a business and financial news company that owns the Wall Street Journal.

On Sunday, Dow Jones said that about 2.2 million customers' details were exposed due to an Amazon S3 bucket misconfiguration.

"We were made aware that certain Dow Jones/WSJ subscriber and Risk & Compliance content was over-exposed on Amazon Cloud (not the open internet)," a Dow Jones spokeswoman tells Information Security Media Group. "This was due to an internal error, not a hack or attack." Exposed details included some customers' names, email and mailing addresses, and the last four digits of their credit card numbers.

The data exposure was discovered by Chris Vickery, a researcher with the cyber risk team at security vendor UpGuard, on May 31. UpGuard says it notified Dow Jones about the security problem on June 5 and that the bucket appeared to have been secured by the next day.

"We immediately remedied the situation and have no reason to believe that any data was taken," the Dow Jones spokeswoman says. "The subscriber data included basic contact information; it did not include full credit card numbers or passwords."

UpGuard "conservatively estimates" that up to 4 million customer details may have been exposed, "though duplicated subscriptions may account for some of the difference," according to a Monday blog post by Dan O'Sullivan, a security researcher at the firm.

"Among the fields populated with data throughout the text files are customer names, internal Dow Jones customer IDs, home and business addresses, and account details, such as the promotional offer under which a customer signed up for a subscription," O'Sullivan says. "Perhaps most critical was the inclusion of the last four digits of customer credit cards in the files, as well as customer email addresses also used to login to their accounts online. A small percentage of customers also had their phone numbers exposed in the files."

Risk & Compliance Data Exposed

Dow Jones says exposed data also included information about individuals and entities included in its risk and compliance products, which are designed to help organizations "comply with anti-money laundering, anti-bribery, corruption and economic sanctions regulation in mitigating third-party risk." But the only data exposed was "content curated exclusively from publicly available sources such as newspaper articles, government-issued watch lists and other publicly available information."

One of the entries recovered by UpGuard, for example, included details relating to deceased Libyan leader Muammar Gaddafi.

Dow Jones didn't comment on whether it planned to notify all affected customers about the data exposure, or whether it used a digital forensic analysis or log data to back up its claim that none of the data appeared to have been stolen.

Exposed to 'Authenticated Users'

UpGuard says the exposed bucket containing customer data "had been configured via permission settings to allow any AWS 'authenticated users' to download the data via the repository's URL." In AWS-speak, an authenticated user is anyone who has registered for a free AWS account. There are now more than 1 million authenticated AWS users.

Amazon says that by default, however, data stored using AWS is only accessible to the account holder. "Well over a million customers continue to use Amazon S3 safely and securely," an Amazon spokeswoman says.

Even so, S3 misconfigurations appear to be rife. "The configuration of cloud-based storage by enterprises to allow public or semi-public access is by now an all-too-common story," UpGuard's O'Sullivan says.

Any bucket-using organization should be able to prevent these types of user errors, provided it has the right policies, practices and monitoring in place, says Chris Pierson, chief security officer and general counsel for payment services firm Viewpost.

"Critical here is the education of all engineers to properly secure any cloud instances it has, to set forth standards to protect the data and controls and to scan to make sure these instances are secure," Pierson tells ISMG.

Verizon, Others, Also Cite User Error

Vickery continues to discover firms that have failed to lock down their buckets by using tools developed by UpGuard that are designed to guess internet addresses of exposed data. The company also sells tools and services designed to help organizations identify these types of configuration problems.

Organizations previously outed by Vickery for leaving their S3 buckets unsecured have included Verizon, WWE, Scottrade and Deep Root Analytics, a data analytics firm aligned with the Republican Party.

Last week, Verizon blamed user error for a misconfiguration problem that resulted in a public-facing bucket exposing data for between 6 million and 14 million Verizon customers.

That followed WWE also citing user error after two misconfigured S3 buckets exposed personal data for 3 million fans. Vickery discovered the buckets earlier this month, and said WWE had them locked down within hours of being notified.

In a statement, Scottrade said that one of its third-party vendors, Genpact, "uploaded a data set to one of its cloud servers that did not have all security protocols in place," thus leaving it exposed. "The file contained commercial loan application information of a small B2B unit within Scottrade Bank, including non-public information of as many as 20,000 individuals and businesses. Upon being alerted to the issue, Genpact immediately secured that information and traced the issue to a configuration error on their part while uploading the file."

Scottrade said that "this appears to be a case of isolated human error by the vendor in handling the data set" and noted that none of its own, internal systems were affected.

Long-Standing Problem

Back in 2013, researchers at security firm Rapid7 reviewed 12,328 Amazon S3 buckets and found that 1,951 of them - 15 percent - were publicly accessible.

In 2011, security researcher Robin Wood reviewed nearly 1,000 buckets and found that 13 percent of them were publicly accessible. Some exposed buckets included sensitive data, such as Social Security numbers.